ASA-SSM-20 on the active failover configuration

Similar Questions

• Do I need two AIP - SSM modules if I'm failover configuration?

  Is it possible to use a single module AIP - SSM in two ASA that is configured in active / standby?

  I would like to configure the module in the first ASA with the relief setting.  Then, if the ASA first fails, I could physically remove the module AIP - SSM and place it in the second ASA.

  Would there be problems, configure it in this way?

  Would be the active / standby ASA complaining that there is that one module AIP - SSM?

  Thanks in advance.

  Hello

  You must have an AIP - SSM on two SAA in order to be able to run the failover, without it failover will not come to the top (because of incompatibility of hardware)

  Kind regards

  Julio

• Active/active failover configuration LAN-based PIX / ASA

  Hi all

  I would like to ask, if there is a restriction of length between the two ASA5510 in a LAN failover? Should not be, or I'm wrong?

  Thank you

  Norbert

  Hello

  normal duration of 100 m Ethernet. Or you can use the switches between them. I do not have a direct link.

  Best regards, Celio

• Update license of IPS ASA - SSM

  Hello

  We have an ASA-SSM-20 IPS, the license has expired and we purchased a Smartnet contract for the device.

  I would like to know how to upgrade the license.

  We tried to do the ASDM, and chose the option updates to cisco.com.we got the following error.

  internal error. Unable to send the license request. -4: unable to proxy transparent tunnel. Proxy returns "HTTP/1.1 403 Forbidden.

  How to solve this problem or how to do when you use the other option, how to get the license file.

  Best regards

  It seems that your AIP-SSM20 is configured to use an http proxy to connect to the Internet. If you allow the IP address of the AIP-SSM20 management in your web proxy, it may solve your problem.

  If this isn't the issue, you can always apply a license manually. Download your license file here:

  https://Tools.Cisco.com/swift/LicensingUI/home

  and apply via the ASDM or the CLI

  -Bob

• on the stateful failover active / standby

  Hello guys.

  I have two ASA, same model and material. ASA have configured stateful failover active / standby by someone a few years ago. It worked normally until recently and no one changed the configuration. Then the secondary unit can't. Ping between 2 interfaces is ok. Please help me solve this problem.

  on the main site

  interface Management0/0

  STATE failover Interface Description

  management only

  interface GigabitEthernet1/1

  Failover LAN Interface Description

  failover

  primary failover lan unit

  failover lan interface failover GigabitEthernet1/1

  The link with failover Management0/0 status

  failover failover interface ip 172.16.1.1 255.255.255.0 ensures 172.16.1.2

  State of the failover interface ip 172.16.0.1 255.255.255.0 ensures 172.16.0.2

  on the secondary site

  interface Management0/0

  STATE failover Interface Description

  management only

  interface GigabitEthernet1/1

  Failover LAN Interface Description

  output of the show failover on PRIMARY

  Show execution of failover

  failover

  primary failover lan unit

  failover lan interface failover GigabitEthernet1/1

  The link with failover Management0/0 status

  failover failover interface ip 172.16.1.1 255.255.255.0 ensures 172.16.1.2

  State of the failover interface ip 172.16.0.1 255.255.255.0 ensures 172.16.0.2

  See the resumption of F1 #.

  Failover on

  Unit of primary failover

  Failover LAN interface: GigabitEthernet1/1 failover (maximum)

  Frequency of survey unit 1 seconds, 15 seconds holding time

  Survey frequency interface 5 seconds, 25 seconds hold time

  1 political interface

  Monitored 5 256 maximum Interfaces

  Version: Our 8.2 (2), Matt 8.2 (2)

  Last failover to: 08:03:11 ULAST January 1, 2003

  This host: primary: enabled

  Activity time: 5755203 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Interface Backup2 (10.2.5.1): Normal (pending)

  Internet (202.131.225.90) interface: No link (pending)

  Interface Backup1 (10.3.5.1): Normal (pending)

  The interface server (192.168.227.1): Normal (pending)

  Bank interface (10.20.1.1): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Another host: secondary - failed

  Activity time: 0 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  Interface (0.0.0.0) Backup1: Normal (pending)

  The interface server (0.0.0.0): Normal (pending)

  Bank interface (0.0.0.0): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Failover stateful logical Update Statistics

  Link: State Management0/0 (top)

  Stateful Obj xmit rcv rerr xerr

  General 76184539 0 767513 6

  sys cmd 767328 0 767326 1

  up time         0          0          0          0

  RPC services 0 0 0 0

  25878669 0 11 5 TCP Conn

  Conn UDP 40545710 0 40 0

  ARP 8987688 0 136 tbl 0

  Xlate_Timeout 0 0 0 0

  Tbl IPv6 ND 0 0 0 0

  VPN IKE upd 1140 0 0 0

  VPN IPSEC upd 4004 0 0 0

  VPN CTCP upd 0 0 0 0

  VPN SDI upd 0 0 0 0

  VPN DHCP upd 0 0 0 0

  SIP session 0 0 0 0

  Logical update queue information

  Heart Max Total

  Q: recv 0 7 6522961

  Xmit Q: 0 34 106685671

  output of the secondary recovery

  See the resumption of F1 #.

  Failover on

  Secondary failover unit

  Failover LAN interface: GigabitEthernet1/1 failover (maximum)

  Frequency of survey unit 1 seconds, 15 seconds holding time

  Survey frequency interface 5 seconds, 25 seconds hold time

  1 political interface

  Monitored 5 256 maximum Interfaces

  Version: Our 8.2 (2), Matt 8.2 (2)

  Last failover at: 03:36:23 ULAST December 15, 2013

  This host: secondary - failed

  Activity time: 0 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  Interface (0.0.0.0) Backup1: Normal (pending)

  The interface server (0.0.0.0): Normal (pending)

  Bank interface (0.0.0.0): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Another host: primary: enabled

  Activity time: 5743217 (s)

  slot 0: ASA5550 hw/sw rev (status 2.0/8.2(2)) (upward (Sys)

  Interface Backup2 (10.2.5.1): Normal (pending)

  Internet (202.131.225.90) interface: No link (pending)

  Interface Backup1 (10.3.5.1): Normal (pending)

  The interface server (192.168.227.1): Normal (pending)

  Bank interface (10.20.1.1): Normal (pending)

  Slot 1: rev hw/sw ASA-SSM-4GE-INC (State of 1.0/1.0(0)10) (top)

  Failover stateful logical Update Statistics

  Link: State Management0/0 (top)

  Stateful Obj xmit rcv rerr xerr

  General 765518 0 35843181 874

  sys cmd 765518 0 765516 0

  up time         0          0          0          0

  RPC services 0 0 0 0

  TCP 0 0 12671303 80 Conn

  UDP 0 0 13432853 133 Conn

  ARP 0 0 8968384 661 tbl

  Xlate_Timeout 0 0 0 0

  Tbl IPv6 ND 0 0 0 0

  VPN IKE 0 0 1137 upd 0

  VPN IPSEC 0 0 3988 upd 0

  VPN CTCP upd 0 0 0 0

  VPN SDI upd 0 0 0 0

  VPN DHCP upd 0 0 0 0

  SIP session 0 0 0 0

  Logical update queue information

  Heart Max Total

  Q: recv 0 9 72011189

  Xmit Q: 0 1 765518

  You have a couple no link on your high school as well as a message no link on your primary.

  Backup2 (0.0.0.0) interface: no connection (pending)

  Interface (0.0.0.0) Internet: No link (pending)

  I recommend that you check these cables.  Don't forget that if you changed the default configuration, a failure of the single, or problems of connectivity even interface between an interface on the two ASAs fail.

  If this does not help, try entering the command interface of the monitor for the interfaces.

  --
  Please do not forget to rate and choose a good answer

• Cisco ASA 8.4 Active Failover / standby with anyconnect local CA

  Hi Friend´s

  I hope you do well! I ve got a question, hope you can help me. I ve got an ASA 5550 with version 8.4 (6), it s focusing anyconnect VPN remote access who authenticate through certificate locally generated in ASA. We´ve got an another 5550 with the same hardware and same version, and we focus on the configuration of the failover. I ve heard of network other than it s engineers may not failover configuration when the ASA doing this local. Then I ve read full failover for version 8.4 operating guide (6) and I didn t find any restrictions on the local failover and CA working together. I m tests over the next weekend, but I would like to know from your experience, if I'm having problems on VPN connections or failover configuration.

  Please, do not hesitate to ask as much as necessary information. All comment and documentation will be appreciated.

  Best regards!

  It's the n: documentatio

   Does not support Active/Active or Active/Standby failover

  And on top of that, ASDM shows that "Local CA cannot be configured when failover is activated".

• ASA in transparent mode with LAN base active failover / standby?

  Is it possible to have a pair of the SAA in transparent mode with LAN-based failover active / standby? I configured the portion of failover and then configured the transparent mode and it erased my failover configuration. Is this supported configuration, and if so are there at - it an example?

  Thanks in advance

  Yes. It is possible to have a pair of ASA in transparent mode with LAN-based failover active/Standy. You must perform the configuration of failover after conversion of the appliance in transparent mode.

  I saw an example on the cisco site, but I'll give you an example of one of the projects I run. Infact its very easy to configure failover in transparent mode. Less work.

  I have listed the configs on both the firewall for your reference

  Main firewall

  ============

  interface GigabitEthernet0/0

  nameif outside

  security-level 0

  No tap

  !

  interface GigabitEthernet0/1

  nameif inside

  security-level 100

  No tap

  !

  interface GigabitEthernet0/2

  Shutdown

  No nameif

  no level of security

  !

  interface GigabitEthernet0/3

  Failover LAN Interface Description

  !

  192.168.9.2 IP address 255.255.255.0 watch 192.168.9.7

  failover

  primary failover lan unit

  local failover FAILINT GigabitEthernet0/3 network interface

  failover abcdef keys

  failover interface ip FAILINT 172.16.9.1 255.255.255.0 watch 172.16.9.7

  The secondary firewall

  =================

  failover

  secondary failover lan unit

  local failover FAILINT GigabitEthernet0/3 network interface

  failover abcdef keys

  failover interface ip FAILINT 172.16.9.1 255.255.255.0 watch 172.16.9.7

  int GigabitEthernet0/3

  No tap

  Hope the above helps.

• recharge an ASA - SSM the firewall itself effect?

  We lost the connection information for the IPS - SSM on our ASA 5520. It seems we should re image module with a version more recent software. It is currently not in use i.e. no rules for it on the firewall. This process will take the firewall offline at all?

  Sh command output:

  See the module of Firewall03 # 1

  Model serial number of map mod

  --- -------------------------------------------- ------------------ -----------

  1 ASA 5500 Series Security Services Module-20 ASA-SSM-20 xxxxxxx

  MAC mod Fw Sw Version Version Version Hw address range

  --- --------------------------------- ------------ ------------ ---------------

  1 001b.0ce2.xxxx to 001b.0ce2.xxxx 1.0 1.0 (11) 2 5,0000 E1

  The Application name of the SSM status Version of the Application of SSM mod

  --- ------------------------------ ---------------- --------------------------

  1 FPS up to 5.1 (5) E1

  Data on the State of mod aircraft compatibility status

  --- ------------------ --------------------- -------------

  1 up Up

  Firewall03 # display module 1 recover

  Module 1 retrieve parameters...

  Start the recovery Image: No.

  Image URL:ftp://0.0.0.0/ t

  Port IP address: 0.0.0.0

  IP gateway address: 0.0.0.0

  VLAN ID: 0

  No, it should not affect the operation of the firewall at all. He would suffer only if you use it inline with firm failure mode is activated.

• Step how to configure ASA 5500 Series Security Services Module-10 (model: ASA-SSM-10)

  Dear support,

  I need to configure Security Services Module-10 (model: ASA-SSM-10) on my ASA 5510 firewall. Could you provide configuration step and how to connect to the module?

  Here is the information on the module

  ciscoasa (config) # sh Details of module 1
  The details of the Service module, please wait...
  ASA 5500 Series Security Services Module-10
  Model: ASA-SSM-10
  Hardware version: 1.0
  Serial number: JAF1115066U
  Firmware version: 1.0 (11) 2
  Software version: 1.0000 E1
  MAC address range: 001a.e268.5aa9 to 001a.e268.5aa9
  App name: IPS
  App status. : to the top
  App status. / / Desc:
  App version: 1.0000 E1
  Data of aircraft status: Up
  Status: to the top
  Mgmt IP addr: 133.1.9.144
  Web to MGMT ports: 443
  Mgmt TLS enabled: true

  your help is very appreciate.

  Thank you

  Best regards

  Hi Sothengse,

  Please find the samlpe on AIP SSM module configurations. You can go through this to begin with.

  http://www.Cisco.com/c/en/us/support/docs/security/ASA-5500-x-series-NEX...

  https://www.YouTube.com/watch?v=FgYU5ZXwk4g

  Concerning

  Knockaert

• who can help me with "insufficient resources to meet the level of failover configured for vSphere HA.

  Hello world

  We tried to gif a 14GB of ram and make server complete a booking for her.
  This is a server for the exams and the vendor told us to do.

  I can't any more then 5500MB reservation on it, when I anymore that I get
  "Insufficient resources to meet the level of failover configured for vSphere HA.

  We have:

  2 X 5.1 ESXi hosts
  Each host has
  2 x processors (8 Cores each) with HT active.
  255,75 GB of Ram

  vSphere HA has been activated.
  Admission control policy is enabled and that the ability to failover is 1 host.

  What is the problem here?

  Thank you
  Ernst.

  
  

  Admission control policy is all about to give you the kind of guarantee that if the host failure happens then there will be enough resources to perform the successful failover.

  in simple terms, it comes to reserve the resources of failover.

  I would recommend going through the notion of vSphere HA, reduced control policy the following document.

  https://pubs.VMware.com/vSphere-60/topic/com.VMware.ICbase/PDF/vSphere-ESXi-vCenter-Server-60-availability-Guide.PDF

  From the Page number 22, the details that you need to study is given. Focus especially on part calculations Slot size of it.

  in your case you HA vSphere with number of failure of host to tolerate as admission control strategy defined.

  This means system will calculate CPU and memory slots out of the resources in your cluster, and the total number of units, it will keep some resources like reserved for failover, and others will be available to be used. It all depends on how much failure of hosts that you want to tolerate.

  now in your case, if you try to increase booking one of the virtual machine, which will then affect the number of locations in your environment, and so reserved ability to failover is violated, the system will not let you do what you want to do. As the energy on a virtual machine, or growing booking a powered VM etc..

  If you find that you have enough resources in your cluster and due to some virtual machines with very large cpu or memory reservation, number of places is less than you can still manage the settings some advanced in vSphere HA configuration, but I strongly recommend, try to take the help of someone who has done it before.

  also try to go through other admission control strategies which are explained in the document for more inputs.

• Programmatically change the Active Configuration results

  I use TestStand 2012 SP1.  I would like to be able to configure the Active Configuration to get results in the process template.  A station in market our sequential model would set sequential reports configuration as the current record while a station running that a batch model would fix the lot of the report as the configuration active.  In addition, if a station can be both, running the application can select the appropriate process template and he would then choose the appropriate reporting configuration.

  I have installation of configurations but need to know how to set the active configuration.  I don't want on a base by sequence, but rather at the level of the process template so that it is executed once and done.  This would allow developers to change their configuration, but still have the lot or creating sequential reports selected according to whether they are working on.

  Thank you.

  There are a few options here:

  1. Replace the ModelOptions plugin and change the setting for ModelPluginConfigurationToLoad to the appropriate configuration.
  
  
  2. Hardcode it in the callback in ModelSupport.seq.  This way if you've always wanted by automatic override features and call their own as they could.
  
  
  3. Hard-code this entry point for execution of Initialize just before the ModelOptions callback is called in ModelSupport.seq.  In this way the customer can always substitute and change it if they want.

  If it were me, I'd go with option 3 for your case.  You can use Parameters.ModelData.ModelType to determine which model they are running with.  Then, simply put Locals.ModelPluginConfigurationToLoad on the proper setup.

  Hope this helps,

• Not enough resources to meet the level of failover configured for vSphere HA

  I have a cluster of vSphere based 5.0 based on ESXi 5 knots 2.

  When I try to start a virtual machine, I get an error saying that there is "insufficient resources to meet the level of failover configured for vSphere HA.

  If I turn off an another VM the problem disappears and I can turn on my VM.

  If I try to turn on the virtual machine, I have already turned off, I get the error again.

  It seems obvious that there is a lack resources or some setting is misconfigured, but even after reading the forums and manuals, I am unable to locate the critical resource or parameter that is not correct.

  Based on my experience or vSphere server and ESXi servers are overloaded.

  I have an another similar cluster of hosting a larger number of virtual machines with no similar problem.

  This performance counter and this setting should check to identify the bottleneck?

  Concerning

  Marius

  To check reservations for virtual machines, I would select the Cluster in your vCenter inventory, then select the resources"" tab.  Which displays the child objects of the bunch (VMs, Resource Pools, vApps).  There you can watch settings of CPU resources and memory.  You'll want to watch the column of "Reserves".

  To find the size of the slot and places available, look at the tab "Summary" of your cluster.  There is a tile marked "vSphere HA.  In this mosaic, there will be a link for "Advanced Runtime Info" which will open a new window with the location information.

  When the Admission AP policy is set to "Number of failures of host cluster will tolerate", HA has a very pessimistic view of your resources, since it must be able to handle all the possibilities.

  Another option would be to change the admission control strategy in settings of Cluster HA to "percentage of resources reserved for failover.  It reserves a part of the resources for use by HA in the case of a failover, rather than trying to calculate the size of the individual virtual machines.  With a 2 cluster nodes, I think it a relatively safe bet to set these values to 50%, as your worst case scenario HA would be losing a single host on 2.

• How to control the activity of the client-to-site (IPSEC ASA)

  I have a client to site VPN configuration on my 5505 according to directives of the Chapter35 of the ASA8.x configuration guide.

  One thing I am not sure about is how can I control what VPN users can connect to? I see nothing in the config that binds inside the interface so that prevents them to connect to the DMZ as well? How to limit connectivity so they can only connect to a host on the inside? or a host on the inside and the other on the DMZ?

  Thank you

  According to me, is what you're looking for.

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

  It will be useful.

• ASA 5505 DMZ for the guest wireless access

  Hello

  Here is my delima:

  I'm deploying an Apple Airport Extreme BaseStation with Airport Express 7 "repeaters" throughout my network/building. Apple only allows only two wireless networks, public and private. Your selection of only can 192.168.x.x, 172.13.x.x or 10.10.x.x for each subnet. NO tagging VLAN.

  It wasn't my decision... Apple CEO hs fever.

  So Im stuck on how to implement this without VLAN. The comments/public subnet needs to be isolated outside access. While the private subnet requires access to both.

  Any suggestion would be greatly apprecaited.

  What will the Security Plus license allow me to do?

  Security over the license allows the use of circuits for the ASA 5505.  It also increases the maximum number of VLANS configurable at 20.  Allows active failover / standby and increases the number of authorized IPsec VPN tunnels.

  The problem with the basic license is that you can have 3 VLAN configured and the 3rd VLAN is a VLAN 'restricted '.  This means that you can not pass traffic to or from inside VLAN on the 3rd VLAN (or DMZ VLAN if you prefer to call it that.)  So this VLAN DMZ won't be able to communicate with the internet.

  So, if your private wireless network and the local network will be on the same subnet your public wireless network can be in VLAN 3.  If this isn't the case, you will need to get the security over the license.

  --
  Please do not forget to rate and choose a good answer

• ASA-SSM-10 improvement no license or signatures

  I successfully upgraded our ASA-5510 with the latest version of the software.

  Our IPS module however ASA-SSM-10 seems to be the settings to factory default with only an IP address that is configured without any permission or certificates. The ASA-SSM-10 module can be improved with the lack of licenses or certificates? In addition, by using PuTTY I am able to connect to the ASA-SSM-10 module and ping the module and my laptop that I have connected via the management port. I am unable to ping from the laptop to the module of ASA-SSM-10 well.

  Continuing the investigation in addition to the configuration of the management port IP address there is no VLAN, GW, image url or ip address of the configured port. Is there a simple way to upgrade the software on the ASA-SSM-10 without affecting our two ASA - 5510 that are configured for failover?

  I suppose I can do up to a VLAN, GW and port address to get my cell phone to ping to the ASA-SSM-10 module to upgrade without affecting our ASA-5510 that are configured for failover. ***

  You can attach more licenses for the legacy IPS until April 26. But the question is whether it is worth spending time and money in the present. The IPS legacy is dead and you should focus on firepower for IPS. But who does not work on your hardware.